02-26-2018 07:41 AM - edited 02-21-2020 07:26 AM
Dears,
I have 3 questions here, please answer.
I have a perimeter firewall which is connecting to the Internet, DR and extranets. I have switches in DR and some switches kept in other company premises (extranets) which are routing through the firewall. Is it preferable to configure SNMP on these switches and get the SNMP traffic to my internal LAN?
What is the best practice to configure NTP on a perimeter firewall? At present it is connected to the core and the core is acting as an NTP server.
What security precautions have to be taken for the external switches which are connecting to the ISP, extranets and many other neighbor buildings for the connectivity to our internal LAN?
Thanks
03-02-2018 05:58 AM
Hello,
The question is: are you 100% responsible for managing all those extranet switches, and does not knowing what's happening with those switches put you in a tough spot? If yes... then I would do it with v3 (more secure) by allowing v3 traffic from specific IPs only through the FW. Also, I would consider a different v3 password for different extranet hardware (may be hard to manage, but secure).
If the answer is "no one questions you", then it's your call.
Or you can consider using any freely available SNMP server (google for those), place this new server in the DMZ and use it only for extranet-related gear.
hth
MS
02-26-2018 04:22 PM
Hi,
Here are few things...
1. Preferable to configure SNMP on these switches: if possible, move the SNMP server to the DMZ and configure/allow SNMPv3 from specific source IPs only.
2. NTP on a perimeter firewall: if it is at the edge of the network, then you can use public NTP servers:
https://tf.nist.gov/tf-cgi/servers.cgi
3. Security precautions to be taken for the external switches: per your post, these appear to be directly connected to the ISP and in turn communicate with your LAN. If all these services can be moved from your LAN to the DMZ, good. I know there may be a lot of challenges in doing that, so if you manage those switches, make sure to address vulnerabilities, VLAN-based ACLs, limited admin access with SSH only, and last but not least, see if you can add additional (port-based) ACLs on the firewall for incoming traffic.
hth
MS
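The three hardening points in the answer above (SNMPv3 restricted to specific source IPs, NTP taken from the core, SSH-only admin access) as a single switch configuration. This is an added example, not configuration posted by anyone in the thread; it assumes the switches run Cisco IOS, that the monitoring server is 192.0.2.10, that the core NTP server is 10.0.0.1, and that admins connect from 192.0.2.0/24. All addresses, names and the CHANGEME secrets are constructed placeholders.

```cisco
! ---- SNMPv3 only, from one monitoring host, authPriv ----
! Source restriction: only the monitoring server may poll this switch
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
 deny   any log
!
! Group with authPriv; the access list ties the group to the ACL above
snmp-server group NMS-GROUP v3 priv access SNMP-MGMT
! User with SHA authentication and AES-128 privacy (replace both secrets)
snmp-server user nmsuser NMS-GROUP v3 auth sha AUTH-CHANGEME priv aes 128 PRIV-CHANGEME
! Traps go to the same host, also as SNMPv3 authPriv
snmp-server host 192.0.2.10 version 3 priv nmsuser
snmp-server enable traps snmp authentication linkdown linkup coldstart
! No snmp-server community lines: v1/v2c stay disabled
!
! ---- Authenticated NTP from the core (no unauthenticated peers) ----
ntp authentication-key 1 md5 NTP-CHANGEME
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.1 key 1
!
! ---- Management plane: SSH v2 only, from the admin subnet ----
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
username admin privilege 15 secret ADMIN-CHANGEME
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 login local
 exec-timeout 10 0
```

The `deny any log` entries are the detection hook: any SNMP or SSH attempt from an unexpected source shows up in the switch log (and in syslog if it is exported), which is how you notice that an extranet neighbour is probing the management plane. Keeping SNMP polling limited to one host also makes the matching firewall rule a single line (UDP/161 and UDP/162 between the monitoring server and the listed switch IPs).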
02-28-2018 07:02 AM
Dear,
It's my monitoring server that I cannot keep in the DMZ, because the internal servers and switches are all added in that server.
Are these NTP servers free?
Actually I'm confused between port ACL and VLAN ACL; I have read the guide but have no clear understanding.
thanks
03-01-2018 03:42 AM
Hi,
-> Yes, I understand the complexity in moving SNMP to the DMZ. SNMPv3 can be used.
-> AFAIK, all those NTP servers are free.
-> What I meant by VLAN ACL is normal standard/extended ACLs on VLAN interfaces, where you allow only the required communication between subnets.
Check the below link for VPN filters:
hth
MS
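The distinction asked about above (VLAN ACL versus port ACL) shown side by side. This is an added example, not configuration from the thread; it assumes Cisco IOS on a Layer 3 switch where the extranet gear sits in VLAN 20 (10.20.0.0/24), the monitoring server is 192.0.2.10, the core NTP server is 10.0.0.1, and the uplink toward the extranet is GigabitEthernet1/0/24. Addresses and interface names are constructed placeholders.

```cisco
! ---- "VLAN ACL" in the sense used above: an extended ACL on the SVI ----
! Applied inbound on interface Vlan20, so it filters everything the
! extranet subnet sends toward the rest of the network.
ip access-list extended EXTRANET-IN
 remark SNMP replies (source port 161) and traps (dest port 162) to the NMS only
 permit udp 10.20.0.0 0.0.0.255 eq snmp host 192.0.2.10
 permit udp 10.20.0.0 0.0.0.255 host 192.0.2.10 eq snmptrap
 remark time sync with the core only
 permit udp 10.20.0.0 0.0.0.255 host 10.0.0.1 eq ntp
 remark nothing else from the extranet may reach the inside
 deny   ip any any log
!
interface Vlan20
 description Extranet VLAN - routed gateway
 ip address 10.20.0.1 255.255.255.0
 ip access-group EXTRANET-IN in
!
! ---- Port ACL: the same filtering idea, but on the physical switchport ----
! A PACL is applied inbound on a Layer 2 port and is evaluated before the
! frame is switched, so it also covers traffic that stays inside VLAN 20
! (device-to-device within the extranet), which the SVI ACL never sees.
ip access-list extended UPLINK-PACL
 remark only the expected extranet switch addresses may enter on this port
 permit ip 10.20.0.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet1/0/24
 description Uplink to extranet switches
 switchport mode access
 switchport access vlan 20
 ip access-group UPLINK-PACL in
```

Rule of thumb: put the subnet-to-subnet policy on the VLAN interface (one place to review, applies to all ports in the VLAN), and use a port ACL on the specific uplink where you want to reject spoofed or unexpected source addresses before they are even bridged. Port ACLs on Catalyst switches are inbound only, so anything you need in the outbound direction has to live on the SVI or on the firewall.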
03-01-2018 10:14 PM
Dear,
So for SNMP server v3, I should add remote devices which are on WAN and external Internet switches to get them into the inside network for SNMP traps. Is it a best practice, YES or NO?